tomcat-users mailing list archives

From Jerry Malcolm <>
Subject Re: Detecting Expired Session via JavaScript?
Date Tue, 01 Dec 2015 20:11:08 GMT

On 12/1/2015 1:28 PM, Christopher Schultz wrote:
> Jerry,
> On 12/1/15 12:30 PM, Jerry Malcolm wrote:
>> I'm looking for a way to detect that the current session has expired (or
>> logged out via another tab on the browser).  I know I could just issue
>> dummy requests to the server and see if a login page comes back.  But
>> issuing requests automatically resets the session timer. I need a benign
>> way to query that doesn't keep the session alive forever.
>> I'm sure this problem has been solved before.  But basically, I want to
>> know that the session is no longer valid and force the user back to the
>> login page.  I know one possibility is to set the Tomcat timer to 30 min
>> expiration, and then keep a '29 minute' timer running in the browser.
>> But my clients can change the tomcat session timer length.
> When you generate your HTML page, toss the
> HttpSession.getMaxInactiveInterval into the page somewhere, then wait
> that number of minutes. Don't hard-code 29 minutes (though 31 would have
> been a better time to wait if you didn't want to automatically-extend
> the session).
>> And also this doesn't account for a logoff using the same session on
>> a different browser tab.  I'd really like a pro-active query method
>> if anything like that exists.
> Try something like this:
> - Set -Dorg.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false
>    (false is the default if org.apache.catalina.STRICT_SERVLET_COMPLIANCE
>     is not set to "true")
Does this go in service.bat?  Separate line?

> - Write a quick page like this:
>    session-check.jsp:
>    <%@ page session="false" contentType="application/json" %>
>    { "valid" : <%= request.isRequestedSessionIdValid() %> }
> Then you can request this page to see the value of "valid".
> I wasn't able to tell if the isRequestedSessionIdValid method is
> supposed to "touch" the session's last-update-timestamp. I read some
> code in Tomcat and didn't find a "touch" but that doesn't mean it
> couldn't change. I didn't see anything in the spec that specifically
> said that method doesn't "touch" the session.
This makes sense as long as it truly does not keep the session alive.    
Just to be sure I understand things, if I first access an unprotected 
file requiring no login, I'll have a valid session. But I'll still get 
the login page if later I access a protected file in that same session, 
correct?  Not a big deal.  I'll just have to only use this on pages that 
assure a login has occurred.  Also, I assume I should put the 
session-check.jsp in an unprotected folder, otherwise I'll get a login 
challenge before I even can get to the session-check, right?
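
The browser side of the check discussed above, as an added example that is not part of the original thread: it polls the check page and only treats an explicit `"valid": false` as an expired session, so an HTML login page or a network error is not mistaken for an answer. `SESSION_CHECK_URL`, `LOGIN_URL`, `classifySessionCheck` and `watchSession` are assumed names, and the sketch assumes the check page sits outside any protected area.

```javascript
// Added example, not from the thread. Both paths below are assumptions.
const SESSION_CHECK_URL = '/public/session-check.jsp'; // assumed: not behind a security-constraint
const LOGIN_URL = '/login.jsp';                        // assumed login page

// Classify one response from session-check.jsp.
// Returns 'valid', 'expired', or 'unknown' (anything that is not the expected JSON).
function classifySessionCheck(status, contentType, bodyText) {
  if (status !== 200) return 'unknown';
  // A login form or error page served as HTML means the check itself was intercepted.
  if (!/^application\/json\b/i.test(contentType || '')) return 'unknown';
  let data;
  try {
    data = JSON.parse(bodyText);
  } catch (e) {
    return 'unknown';
  }
  // Require a real boolean; the string "true" or a missing field is not an answer.
  if (data === null || typeof data.valid !== 'boolean') return 'unknown';
  return data.valid ? 'valid' : 'expired';
}

// Poll the check page; on 'expired', stop polling and call onExpired.
// fetchFn is injectable so the logic can be exercised outside a browser.
function watchSession(intervalMs, onExpired, fetchFn = fetch) {
  const timer = setInterval(async () => {
    let state = 'unknown';
    try {
      const res = await fetchFn(SESSION_CHECK_URL, {
        credentials: 'same-origin', // send the JSESSIONID cookie
        cache: 'no-store',          // never answer from a cached copy
        redirect: 'manual',         // do not silently follow a redirect to a login page
      });
      state = classifySessionCheck(res.status, res.headers.get('content-type'), await res.text());
    } catch (e) {
      // Network failure: leave state as 'unknown' and try again on the next tick.
    }
    if (state === 'expired') {
      clearInterval(timer);
      onExpired();
    }
  }, intervalMs);
  return timer;
}

// Browser usage: watchSession(60000, () => { window.location.assign(LOGIN_URL); });
```

The redirect is a convenience for the user only; the server still decides whether a request is authenticated.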


